From: Lennart Poettering Date: Thu, 19 Nov 2020 10:14:41 +0000 (+0100) Subject: seccomp: move brk+mmap+mmap2 into @default syscall filter set X-Git-Tag: v247~45 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5abede3247591248718026cb8be6cd231de7728b;p=thirdparty%2Fsystemd.git seccomp: move brk+mmap+mmap2 into @default syscall filter set These three syscalls are internally used by libc's memory allocation logic, i.e. ultimately back malloc(). Allocating a bit of memory is so basic, it should just be in the default set. This fixes a couple of issues with asan/msan and the seccomp tests: when asan/msan is used some additional, large memory allocations take place in the background, and unless mmap/mmap2/brk are allowlisted these will fail, aborting the test prematurely. --- diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index 6ca2c5713dd..c02035c80f6 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -282,6 +282,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { .name = "@default", .help = "System calls that are always permitted", .value = + "brk\0" "cacheflush\0" "clock_getres\0" "clock_getres_time64\0" @@ -319,6 +320,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "getuid\0" "getuid32\0" "membarrier\0" + "mmap\0" + "mmap2\0" "nanosleep\0" "pause\0" "prlimit64\0" @@ -468,8 +471,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "mkdirat\0" "mknod\0" "mknodat\0" - "mmap\0" - "mmap2\0" "munmap\0" "newfstatat\0" "oldfstat\0" @@ -844,7 +845,6 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = { "@signal\0" "@sync\0" "@timer\0" - "brk\0" "capget\0" "capset\0" "copy_file_range\0"